From: Archana Polampalli <archana.polampa...@windriver.com> gst-plugins-bad: Integer overflow leading to heap overwrite in MXF file handling with AES3 audio
Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../CVE-2023-40475.patch | 49 +++++++++++++++++++ .../gstreamer1.0-plugins-bad_1.20.7.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch new file mode 100644 index 0000000000..ab9ac7afaa --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch @@ -0,0 +1,49 @@ +From 72742dee30cce7bf909639f82de119871566ce39 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com> +Date: Thu, 10 Aug 2023 15:47:03 +0300 +Subject: [PATCH] mxfdemux: Check number of channels for AES3 audio + +Only up to 8 channels are allowed and using a higher number would cause +integer overflows when copying the data, and lead to out of bound +writes. + +Also check that each buffer is at least 4 bytes long to avoid another +overflow. + +Fixes ZDI-CAN-21661, CVE-2023-40475 + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897 + +Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/72742dee30cce7bf909639f82de119871566ce39] +CVE: CVE-2023-40475 + +Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> +--- + gst/mxf/mxfd10.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c +index 03854d9303..0ad0d2d283 100644 +--- a/gst/mxf/mxfd10.c ++++ b/gst/mxf/mxfd10.c +@@ -101,7 +101,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer, + gst_buffer_map (buffer, &map, GST_MAP_READ); + + /* Now transform raw AES3 into raw audio, see SMPTE 331M */ +- if ((map.size - 4) % 32 != 0) { ++ if (map.size < 4 || (map.size - 4) % 32 != 0) { + gst_buffer_unmap (buffer, &map); + GST_ERROR ("Invalid D10 sound essence buffer size"); + return GST_FLOW_ERROR; +@@ -201,6 +201,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags, + GstAudioFormat audio_format; + + if (s->channel_count == 0 || ++ s->channel_count > 8 || + s->quantization_bits == 0 || + s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) { + GST_ERROR ("Invalid descriptor"); +-- +2.40.0 diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb index 52acb30d74..d5f1e794cd 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb @@ -11,6 +11,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad file://0003-ensure-valid-sentinals-for-gst_structure_get-etc.patch \ file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \ file://CVE-2023-40474.patch \ + file://CVE-2023-40475.patch \ " SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188354): https://lists.openembedded.org/g/openembedded-core/message/188354 Mute This Topic: https://lists.openembedded.org/mt/101631317/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
